
I found this in my Linux box on which I ran httpd... I read some book and this is an indication that my system has been hacked? Is this kind of hacking only effective on IIS? What will this do to my system? What kind of software are they using to do this kind of hacking?

line 1: 403 was returned. This is forbidden.
line 2/3 : 200 was returned. This was successful. (no biggy, just downloaded some gifs)

Line 1: The last dash was replaced by "Mozilla/5.0 ...." . This is the type of browser that was used to access the page, if apache could figure it out. Notice how all those nimda lines end in "-" "-"...that means it couldn't detect a browser version...which means it was probably done either by a worm or someone using something like 'telnet' or 'netcat' to do the connection and then use HTTP commands to get the web page.

EDIT 2:

Man I love apache logs, so much information there (unlike IIS). The last thing of interest from your log files... notice how fast those connections were in your logs. Most of the connections from the IP were done several in the same second, most no more than five seconds apart. This should indicate to you that it was at a minimum automated (it would be difficult for someone to type that fast, if not impossible).

Verdict: Meaningless attacks by nimda infested hosts to which you were not vulnerable. T

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

This is a unicode attack and MS 4.0 and 5.0 IIS Webservers are vulnerable unless they are hardened or had the appropriate patches applied.

If you have a IIS Webserver, they are full of security vulnerabilities and exploits. I suggest that you get a copy of the IIS Lockdown Tool from the M$ webpage.

SoggyBottom.

There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

**** I really got hacked... just only... about 0715hrs... the symptoms were that I suddenly could not access my access_log... then I went to top my Linux... I saw a process called some update one... then my system went a bit hangy and my hdd activity was on... after a while the hdd activity stopped... so I went to cat my access_log... everything was gone... security_log was gone, mysql, apache error log and sendmail log were all gone... I nmap'd my system and the open ports were as usual... so I suppose someone just came in and deleted my log files... what did the guy do to delete my logs? My root passwd was not changed... how did he get access to my system?

What is the update process for? My system log is also gone...

Originally posted here by nebulus200
Ok, short answer, no you haven't been hacked. What you are seeing is the various incarnations of nimda trying to check your box to see if you are susceptible. Here is why you are not hacked:

1) You are running linux. These vulnerabilities only affect M$ stuff running IIS.
2) Judging from the log files this looks like apache, which is not vulnerable to these attacks.

Lastly, take a look at the entry after the "GET ...." xxx yyyy "-" "-"

xxx is the HTTP code returned by your webserver for that request
yyy is the number of bytes of the response

You will see in chapter 10 a definition of what the response codes mean. Every response either returned 400 or 404. A quick glimpse through the specs and you will see

404 == 404 Not Found
400 == 400 Bad Request

Neither of which indicate success...

Now if this was a different attack and you saw HTTP return 200 (ok), then you should start to worry....

That make sense?

/nebulus

EDIT:

These lines are interesting for two reasons...

line 1: 403 was returned. This is forbidden.
line 2/3 : 200 was returned. This was successful. (no biggy, just downloaded some gifs) <- I think he is trying to test what web server I am running, man, my log was all deleted. The powered_by.gif is a gif that shows 'powered by redhat linux' and the apache_pb.gif is a picture of apache? **** man, got spied on. What command did he use to issue the HTTP command in telnet?

Line 1: The last dash was replaced by "Mozilla/5.0 ...." . This is the type of browser that was used to access the page, if apache could figure it out. Notice how all those nimda lines end in "-" "-"...that means it couldn't detect a browser version...which means it was probably done either by a worm or someone using something like 'telnet' or 'netcat' to do the connection and then use HTTP commands to get the web page.

EDIT 2:

Man I love apache logs, so much information there (unlike IIS). The last thing of interest from your log files... notice how fast those connections were in your logs. Most of the connections from the IP were done several in the same second, most no more than five seconds apart. This should indicate to you that it was at a minimum automated (it would be difficult for someone to type that fast, if not impossible).

Verdict: Meaningless attacks by nimda infested hosts to which you were not vulnerable. T
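The checks nebulus200 walks through in the quoted reply (the status code after the request, the bytes sent, the two trailing "-" fields that mean no referer and no recognisable browser, and the burst of requests within a few seconds of each other) can be scripted. The following is an added example, not code from the thread or from the Apache project; the log lines inside it are constructed to resemble the worm probes the thread discusses and are not the poster's real log, and the burst thresholds (3 requests within 5 seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample log (not the poster's data): four worm-style probes from one host,
# all answered 404/400 with no user-agent, then one ordinary browser request for a gif.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2003:07:10:01 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
10.0.0.5 - - [06/Feb/2003:07:10:01 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
10.0.0.5 - - [06/Feb/2003:07:10:02 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
10.0.0.5 - - [06/Feb/2003:07:10:04 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 316 "-" "-"
192.0.2.9 - - [06/Feb/2003:07:30:15 +0800] "GET /powered_by.gif HTTP/1.1" 200 1154 "http://example.test/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20021204"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["agent"] = entry["agent"] or "-"   # common-format lines carry no agent field at all
    return entry


def analyse(log_text, burst_window=5, burst_min=3):
    """Summarise a log the way the thread does: status codes, blind requests, bursts, successes."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    status_counts = defaultdict(int)
    by_host = defaultdict(list)
    no_agent = 0
    successful_blind = []          # requests with no user-agent that the server answered 2xx
    for e in entries:
        status_counts[e["status"]] += 1
        by_host[e["host"]].append(e)
        if e["agent"] == "-":
            no_agent += 1
            if 200 <= e["status"] < 300:
                successful_blind.append(e["request"])
    # Sliding window per host: largest number of requests inside burst_window seconds.
    automated_hosts = {}
    for host, evs in by_host.items():
        times = sorted(ev["time"] for ev in evs)
        best, j = 1, 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > burst_window:
                j += 1
            best = max(best, i - j + 1)
        if best >= burst_min:
            automated_hosts[host] = best
    return {
        "total": len(entries),
        "status_counts": dict(status_counts),
        "no_agent": no_agent,
        "automated_hosts": automated_hosts,
        "successful_blind_requests": successful_blind,
    }


def verdict(report):
    """Apply the thread's rule: 4xx on probes is noise, a 2xx on a blind probe is cause to investigate."""
    if report["successful_blind_requests"]:
        return "WORRY: a blind (no user-agent) request succeeded; investigate those paths"
    if report["automated_hosts"]:
        return "automated probing seen, but nothing succeeded"
    return "nothing notable"


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(report)
    print(verdict(report))
```

Run it on a real access_log by passing the file's text to `analyse()`; the only line that should ever move the verdict to "WORRY" is a request with no user-agent that came back 2xx, which is exactly the case the reply says to worry about.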

Check your cron and make sure that your log files were not being rotated/compressed at this time; if so you may find the log files in the /var/log directory with the .gz extension. This could explain the hdd activity etc ...

nebulus200 is absolutely correct, your linux box is not compromised by this attack, I see it all the time here as well - it just fills the log files with rubbish.
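The "was it rotated rather than deleted?" check suggested above can be done mechanically: look for rotated copies of the missing log next to it, compare their modification times with the time of the incident, and find the cron entry that triggers rotation. The following is an added example, not code from the thread; it assumes the Red Hat-style layout where logrotate is run from cron and rotated copies are named like access_log.1 or access_log-20030206.gz, and the cron file paths it looks at are the common defaults.

```python
import os
import re
from datetime import datetime, timedelta

# Filenames logrotate typically produces for a base name: base.1, base.2.gz, base-20030206, base-20030206.gz
ROTATED_SUFFIX = r'([.-]\d+)+(\.gz|\.bz2)?$'


def find_rotated_copies(log_dir, base_name):
    """Return [(filename, mtime)] for rotated variants of base_name, newest first."""
    pattern = re.compile(r'^' + re.escape(base_name) + ROTATED_SUFFIX)
    hits = []
    for name in os.listdir(log_dir):
        if pattern.match(name):
            mtime = datetime.fromtimestamp(os.path.getmtime(os.path.join(log_dir, name)))
            hits.append((name, mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def explain_missing_log(log_dir, base_name, incident_time, tolerance_minutes=30):
    """Classify why a log seems to be gone, using only the rotated copies on disk."""
    live_exists = os.path.exists(os.path.join(log_dir, base_name))
    window = timedelta(minutes=tolerance_minutes)
    for name, mtime in find_rotated_copies(log_dir, base_name):
        if abs(mtime - incident_time) <= window:
            return "rotated: %s was written at %s, within %d min of the incident" % (
                name, mtime.strftime("%Y-%m-%d %H:%M"), tolerance_minutes)
    if not live_exists:
        return "unexplained: no rotated copy near the incident and the live file is absent"
    return "no recent rotation; the live file is present (check whether it was truncated)"


def cron_entries_mentioning(paths, keyword="logrotate"):
    """Return (path, line) pairs from the cron files that exist and mention keyword."""
    found = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if keyword in line and not line.lstrip().startswith("#"):
                    found.append((path, line.rstrip("\n")))
    return found


# Default places a Red Hat-style box wires logrotate into cron (assumed defaults, adjust to your system).
DEFAULT_CRON_FILES = ["/etc/crontab", "/etc/cron.daily/logrotate", "/etc/cron.d/logrotate"]

if __name__ == "__main__":
    # Placeholder incident time; replace with the time the logs went missing.
    incident = datetime(2003, 2, 6, 7, 15)
    for log in ("access_log", "error_log", "messages"):
        print(log, "->", explain_missing_log("/var/log", log, incident))
    for path, line in cron_entries_mentioning(DEFAULT_CRON_FILES):
        print(path, ":", line)
```

If the verdict is "rotated", the disk activity at that time and the empty live file are both accounted for; if it is "unexplained", the rotation theory is ruled out and the other explanations in the thread (crash, power loss, or tampering) are what remain.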


I have no idea whether your box was hacked or not, but one thing I can say for certain:
Based on the logs you showed here, I can say with 100% certainty that it is 100% impossible that you would have been compromised by those attacks shown in the logs you printed here. You may have another service that is vulnerable (type netstat -an) that someone got in on, maybe you have a badly misconfigured web server that allows write access to your logs, who knows, there are a lot of possibilities (not all of which mean you have been hacked).

As far as you losing files, it could be the result of a hack, maybe your logging daemon crashed, maybe your system lost power while writing to / opening the file and the file was lost... there is more than one reason that those logs could be gone.

If your system is fairly new (which is how I take it), back up your data only to a CDROM (don't access any network services) and build the system from scratch. Be sure to check any other computers that may have had a trust relationship with that computer for unauthorized access and if you aren't running a switched environment change all passwords.

Make sure your patches are up to date, make sure you have turned off all unused services, and search around for some tutorials on hardening linux. You mentioned something about an update...are you running red hat's auto update thing? Maybe it hosed up...not sure.

Good luck,

/nebulus

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

Originally posted here by nebulus200
If your access_log is gone, where did you get those entries?

I installed the system on 6 Feb 03 and before I left (so few entries) I had been looking at the log using the System Log application... when my hdd was having some activity just now... I started to see nothing in the log file


I am not sure what Red Hat auto update is... I just set up the Linux on an ADSL ethernet modem... so basically I am directly on the net... no firewall or anything...

Refer back to nebulus200's first reply .... that line returned a 404 message (File not found) so basically it's knocking on the door but can't come in - nothing to worry about.

I see the hdd activity corresponded with cron job time stamps. That would explain the activity.

If you are new to linux check out Bastille at http://www.bastille-linux.org, it is a hardening/firewall script which has been written for Redhat and others and will help you lock down your machine fairly securely until you get the hang of things. It has a user friendly GUI and has a step by step configuration with explanations as to what it is doing - so the set up is fairly straight forward.

As you are on an adsl connection you really do need to lock the machine down as you will be a prime target for crackers.

Originally posted here by Phat_Penguin
Refer back to nebulus200's first reply .... that line returned a 404 message (File not found) so basically it's knocking on the door but can't come in - nothing to worry about.

I see the hdd activity corresponded with cron job time stamps. That would explain the activity.

If you are new to linux check out Bastille at http://www.bastille-linux.org, it is a hardening/firewall script which has been written for Redhat and others and will help you lock down your machine fairly securely until you get the hang of things. It has a user friendly GUI and has a step by step configuration with explanations as to what it is doing - so the set up is fairly straight forward.

As you are on an adsl connection you really do need to lock the machine down as you will be a prime target for crackers.

But what do you suspect could have happened? Thanks for providing the site... I will try to harden it from now on..